Changes

4,646 bytes added ,  21:36, 2 September 2021
no edit summary
Line 1: Line 1: −
Ernie is the codename for the Syscon chip. The Syscon is for exemple responsible for handling button input (including power button), reading/writing to non-volatile storage (NVS) for storing system flags (mostly encrypted and signed). For example IDU flag is stored in NVS. Syscon is also responsible for maintaining the physical address to the resume buffer during [[Suspend]]. Communication between [[Kermit]] and Syscon is mainly through SPI (see [[SceSyscon]]) but there are also some GPIO pins connecting the two. The chip model is NEC/Renesas <code>uPD79F0109</code> and is likely custom designed for Sony.  
+
Ernie is the codename for the Syscon chip. The Syscon is for exemple responsible for handling button input (including power button), reading/writing to non-volatile storage (NVS) for storing system flags (mostly encrypted and signed). For example IDU flag is stored in NVS. Syscon is also responsible for maintaining the physical address to the resume buffer during [[Suspend]]. Communication between [[Kermit]] and Syscon is mainly through SPI (see [[SceSyscon]]) but there are also some GPIO pins connecting the two. The chip model is NEC/Renesas <code>uPD79F0109</code> and is likely custom designed for Sony.
    
See also: [[Ernie Secure]]
 
See also: [[Ernie Secure]]
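Review bot: The re-saved intro line still reads "for exemple" and still names a single chip model, "NEC/Renesas uPD79F0109", which conflicts with the Hardware Versions section added in this same revision (three versions, with the Slim models listed as Renesas R5F1ZCRK). Since the line is being touched anyway, fix the typo and either qualify the model as the Fat/PS TV part or point to the Hardware Versions section.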
Line 100: Line 100:  
</pre>
 
</pre>
   −
Then another set of shared sequence. Some differences in the warmboot responses though. On line 18, <pre>FF BF FF 74</pre> becomes <pre>FF FF FF 74</pre>. On line 12, the <pre>00 00 00 00</pre> becomes the address of the resume buffer (ex <pre>F0 1E 1F 41</pre>).
+
Then another set of shared sequence. Some differences in the warmboot responses though. On line 18, <pre>FF BF FF 74</pre> becomes <pre>FF FF FF 74</pre>. On line 12, the <pre>00 00 00 00</pre> becomes the physical address of the resume context buffer. Example:
 +
<pre>F0 1E 1F 41</pre>
    
<pre>
 
<pre>
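Review bot: The example bytes "F0 1E 1F 41" are given without a byte order, and the Scratch Pad table added later in this revision writes the same example as 0x411F1EF0. State in this sentence that the address appears little-endian on the wire so the two examples can be matched by a reader. "another set of shared sequence" should also read "another shared sequence" or "another set of shared sequences".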
Line 182: Line 183:  
== CMD 0x0001 - GetBaryonVersion ==
 
== CMD 0x0001 - GetBaryonVersion ==
   −
Gets some device specific version. Can also be seen in the packet header in [[Syscon Update]]. Also sent at kernel boot.
+
Gets version of the current installed Ernie firmware. Can also be seen in the packet header in [[Syscon Update]]. Also sent at kernel boot.
    
<pre>
 
<pre>
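Review bot: The new description says "Ernie firmware" while the command name says "Baryon", and nothing in the visible text relates the two names; a short clause explaining the naming would help. Wording: "Gets version of the current installed Ernie firmware" should read "Gets the version of the currently installed Ernie firmware".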
Line 202: Line 203:  
</pre>
 
</pre>
   −
== CMD 0x0002 ==
+
== CMD 0x0002 - GetBaryonTimestamp ==
Gets syscon version string. Likely refers to hardware version. Also sent at kernel boot.
+
 
 +
Gets syscon firmware timestamp. Also sent at kernel boot.
 +
 
 
<pre>
 
<pre>
 
SEND 3    > [2.882249083333333] 0x0002, payload=[ | ], chk=0xFC
 
SEND 3    > [2.882249083333333] 0x0002, payload=[ | ], chk=0xFC
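Review bot: The description of CMD 0x0002 changes meaning (from "version string. Likely refers to hardware version" to "firmware timestamp") with no edit summary and no statement of how the returned value is encoded. Add the response format (length and encoding of the timestamp) next to the trace, and use one name for the chip across the command descriptions: this hunk says "syscon firmware" where CMD 0x0001 now says "Ernie firmware".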
Line 328: Line 331:  
</pre>
 
</pre>
   −
== CMD 0x0090 - VS Read ==
+
== CMD 0x0090 - Scratch Pad Read ==
   −
This command reads data from Ernie Volatile Storage. This is the inverse of command 0x91.
+
This command reads data from Ernie Scratch Pad. This is the inverse of command 0x91.
    
This is used for example to fetch the saved resume context buffer physical address. Kernel sets this before suspending and this value is passed to the resume function. See [[Suspend]]. The format is 2 byte offset and 1 byte length.
 
This is used for example to fetch the saved resume context buffer physical address. Kernel sets this before suspending and this value is passed to the resume function. See [[Suspend]]. The format is 2 byte offset and 1 byte length.
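Review bot: After the rename to "Scratch Pad Read", the unchanged context paragraph still describes the resume context address without saying where it lives in the scratch pad. Link it to the new "Syscon Scratch Pad" section and give the field (offset 0xC, size 4 in the new table), so the "2 byte offset and 1 byte length" request format has a concrete example.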
Line 341: Line 344:  
</pre>
 
</pre>
   −
== CMD 0x0091 - VS Write ==
+
== CMD 0x0091 - Scratch Pad Write ==
   −
This command writes data to Ernie Volatile Storage. This is the inverse of command 0x90.
+
This command writes data to Ernie Scratch Pad. This is the inverse of command 0x90.
    
== CMD 0x0800 - Get USB Info ==
 
== CMD 0x0800 - Get USB Info ==
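Review bot: The renamed CMD 0x0091 section still documents no request format, while CMD 0x0090 states "2 byte offset and 1 byte length". Add the write payload layout (offset, length, data) and a link to the "Syscon Scratch Pad" section, since that table is what tells a reader which fields this command can change.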
Line 354: Line 357:  
</pre>
 
</pre>
   −
== CMD 0x0100 - GetBootControlsInfo ==
+
== CMD 0x0100 - GetControlsInfo ==
    
See [[KBL Param#Boot Controls Info|Boot Controls Info]].
 
See [[KBL Param#Boot Controls Info|Boot Controls Info]].
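Review bot: The heading drops "Boot" (GetBootControlsInfo becomes GetControlsInfo), but the context line directly below still links to and is labelled "Boot Controls Info". Either keep the old name or note where the new one comes from, so the heading and its only reference agree.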
Line 398: Line 401:  
</pre>
 
</pre>
   −
== CMD 0x0103 ==
+
== CMD 0x0103 - Get Multi Connector Info ==
Unknown. Likely happens after initial boot.
+
 
 +
Likely happens after initial boot.
 +
 
 
<pre>
 
<pre>
 
SEND 27  > [4.177586083333333] 0x0103, payload=[ | ], chk=0xFA
 
SEND 27  > [4.177586083333333] 0x0103, payload=[ | ], chk=0xFA
 
RESP 27  < [4.177586083333333] 0x0000, flags=00, payload=[00 FF 04 00 | ....], chk=0xF6, unk=0x31
 
RESP 27  < [4.177586083333333] 0x0000, flags=00, payload=[00 FF 04 00 | ....], chk=0xF6, unk=0x31
 
</pre>
 
</pre>
 +
 +
= Syscon Scratch Pad =
 +
 +
{| class="wikitable"
 +
|-
 +
! Offset !! Size !! Name !! Comment !! Used by
 +
|-
 +
| 0x0 || 8 || unknown ||  ||
 +
|-
 +
| 0x8 || 4 || Syscon power on time || ex on DevKit: 0xA, 0x16, 0x1F, 0x24. ex on retail: 0x01BC0CD0, 0x05AC1AF7, 0x80000269 || [[SceRtc#sceRtcSetCurrentTickForDriver]]
 +
|-
 +
| 0xC || 4 || Resume context physical address || Set on retail. Not set on DevKit. ex: 0x411F1EF0 || second_loader
 +
|-
 +
| 0x10 || 5 || Current Tick || Set on retail and DevKit. Stored in microseconds since 01/01/0001 divided by 2^19. || [[SceRtc#sceRtcSetCurrentTickForDriver]]
 +
|-
 +
| 0x15 || 3 || padding ||  ||
 +
|-
 +
| 0x18 || 5 || Current Secure Tick || Set on retail. Not set on DevKit. || [[SceRtc#sceRtcSetCurrentSecureTickForDriver]]
 +
|-
 +
| 0x1D || 5 || Current Network Tick || Always a bit earlier than Current Tick and Current Secure Tick. || [[SceRtc#sceRtcSetCurrentNetworkTickForDriver]]
 +
|-
 +
| 0x22 || 5 || unknown Tick || Set on DevKit. Not set on retail. ?Current Debug Secure Tick? || [[SceRtc]]
 +
|-
 +
| 0x27 || 5 || unknown Tick || ?Current Debug Secure Tick? || [[SceRtc#SceRtcForDriver_A7236656]]
 +
|-
 +
| 0x2C || 5 || Current Debug Network Tick ||  || [[SceRtc#sceRtcSetCurrentDebugNetworkTickForDriver]]
 +
|-
 +
| 0x31 || 0x8F || unknown || Maybe reserved. Probably unused. ||
 +
|-
 +
| 0xE0 || 0x20 || CP DIP switches || Set on DevKit. Not set on retail. || second_loader
 +
|}
 +
 +
== Types ==
 +
 +
<source lang="C">
 +
typedef struct SceSysconRtcTick { // size is 5 bytes
 +
  uint8_t tick[5];
 +
} SceSysconRtcTick;
 +
 +
typedef struct SceSysconScratchPad { // size is 0x100 bytes
 +
  uint8_t unk_0[8];
 +
  SceUInt32 powerOnTime;
 +
  void *resumeContextPA;
 +
  SceRtcSysconTick currentTick;
 +
  uint8_t padding[3];
 +
  SceSysconRtcTick currentSecureTick;
 +
  SceSysconRtcTick currentNetworkTick;
 +
  SceSysconRtcTick unk_22;
 +
  SceSysconRtcTick unk_27;
 +
  SceSysconRtcTick currentDebugNetworkTick;
 +
  uint8_t reserved[0x8F];
 +
  SceDIPSW dipsw;
 +
} SceSysconScratchPad;
 +
</source>
    
= NVS =
 
= NVS =
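Review bot: The offsets in the new Scratch Pad table and struct do not add up at the reserved region: 0x31 + 0x8F = 0xC0, but the next field (CP DIP switches) is listed at 0xE0, and with reserved[0x8F] the struct ends at 0xE0 rather than the stated 0x100 if the DIP switch field is the 0x20 bytes the table gives. A size of 0xAF in both the table row and the reserved member would close the gap, provided 0xE0 is the correct DIP switch offset. In the struct, "SceRtcSysconTick currentTick;" uses a type name that is never defined (the typedef above it is SceSysconRtcTick), and "void *resumeContextPA" matches the 4-byte table field only on a 32-bit target; a fixed-width 32-bit type would state the layout unambiguously.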
Line 410: Line 469:     
On FW 3.60, NVS size is 0xB60 bytes:
 
On FW 3.60, NVS size is 0xB60 bytes:
* Area from 0 to 0x3FF cannot be read using sceSblSsNvsReadForKernel nor written using sceSblSsNvsWriteForKernel. This area is handled by Secure Modules.  
+
* Area from 0 to 0x3FF cannot be read using [[SceSblSsMgr#sceSblNvsReadForKernel]] nor written using [[SceSblSsMgr#sceSblNvsWriteForKernel]]. This area is handled by Secure Modules. See [[Ernie Secure#SNVS]].
* Area from 0x400 to 0x75F is handled by NS Kernel SceSblSsMgr.
+
* Area from 0x400 to 0x75F is handled by NS Kernel [[SceSblSsMgr]].
* Area from 0x760 to 0xB5F seems to be unused. It is reserved for Test and Tool consoles.
+
* Area from 0x760 to 0xB5F are reserved for Test and Tool consoles. However this area seems unused.
    
{| class="wikitable"
 
{| class="wikitable"
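Review bot: In the first bullet the function names change as well as gaining links: sceSblSsNvsReadForKernel becomes sceSblNvsReadForKernel (and likewise for Write), dropping "Ss", while the table in the next hunk keeps the "Ss" form in sceSblSsGetNvsDataForDriver. Confirm which spelling is correct and that the link anchors exist. In the third bullet, "Area from 0x760 to 0xB5F are reserved" should read "is reserved".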
Line 418: Line 477:  
! Offset !! Size !! Name !! Comment !! Used by
 
! Offset !! Size !! Name !! Comment !! Used by
 
|-
 
|-
| 0 || 0x20 || Mgmt Data || Embeds SNVS flags and ProductMode. Used for Update, PM and QAF. || "sceSblQafManagerSetFlag" (sub_81001610 on FW 0.990), "SpkgInfoUtilGetSNVSFlagStatus" and "SpkgInfoUtilSetSNVSFlagStatus" (on FW 0.931), setProductMode
+
| 0 || 0x400 || SNVS || See [[Ernie Secure#SNVS]]. ||
 
|-
 
|-
| 0x20 || 0x280 || SNVS Sectors || 19 XTS encrypted sectors of size 0x20 bytes handled by update_service_sm.self || "SpkgInfoUtilInitForUpdater" on FW 0.931
+
| 0x400 || 0x80 || Qaf Token || || second_loader
 
|-
 
|-
| 0x2A0 || 0x20 || Qa Flag Version || 0x10 bytes data + 0x10 bytes AES128CMAC || "sceSblQafManagerSetQaFlagVersion" on FW 0.940
+
| 0x480 || 0x1 || Qaf Token Flag || 1 when Qaf Token is not set (FFed), 0 when Qaf Token is set || second_loader
 
|-
 
|-
| 0x2C0 || 0x140 || Unknown || ||
+
| 0x481 || 0x1 || Extra UART Flag || See [[KBL Param#Boot flags]]. || second_loader
 
|-
 
|-
| 0x400 || 0x80 || Qaf Token || ||
+
| 0x482 || 0x1 || Unknown || || [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]]
 
|-
 
|-
| 0x480 || 1 || Is Qaf Token not set || 1 when Qaf Token is not set (FFed), 0 when Qaf Token is set ||
+
| 0x483 || 0x1 || Safe Mode Flag || See [[KBL Param#Boot flags]]. || [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]], second_loader
 
|-
 
|-
| 0x481 || 0x1F || Unknown || ||
+
| 0x484 || 0x1 || Unknown || ||
 
|-
 
|-
| 0x4A0 || 0x10 || [[KBL Param#Boot flags]] || || sceSblUsGetUpdateModeForUser, sceSblUsSetUpdateModeForUser
+
| 0x485 || 0x1 || Unknown || ||
 
|-
 
|-
| 0x4B0 || 0x30 || Unknown || ||
+
| 0x486 || 0x1 || Internal Storage Flag || See [[KBL Param#Boot flags]]. Not present on FWs 0.931-0.990. Present on FW 3.60. || [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]], second_loader
 
|-
 
|-
| 0x4E0 || 0x20 || Unknown per device ASCII string ?VisibleId? || ||
+
| 0x487 || 0x1 || Unknown || See [[KBL Param#Boot flags]]. || second_loader
 
|-
 
|-
| 0x500 || 0x20 || Unknown || ||
+
| 0x4A0 || 0x1 || Update Mode || See [[KBL Param#Boot flags]]. || [[SceSblUpdateMgr#sceSblUsGetUpdateModeForUser]], [[SceSblUpdateMgr#sceSblUsSetUpdateModeForUser]]
 
|-
 
|-
| 0x520 || 0x80 || Activation Area || first 0x20 bytes are SceNVSKitActivationData ||
+
| 0x4A1 || 0x3 || Unknown. Unused. || ||
 
|-
 
|-
| 0x5A0 || 0x100 || Qaf Token RSA signature || Not present on FW 0.990. Present on FW 3.60. Maybe added on FW 1.80. ||
+
| 0x4A4 || 0x4 || System Language || || [[SceRegistryMgr]], [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]]
 
|-
 
|-
| 0x6A0 || 0xC0 || Unknown || ||
+
| 0x4A8 || 0x1C || Unknown. Unused. || ||
 +
|-
 +
| 0x4C4 || 0x1 || Unknown. Set to 0 by default. || ||
 +
|-
 +
| 0x4C5 || 0x1B || Unknown. Unused. || ||
 +
|-
 +
| 0x4E0 || 0x20 || Unknown per device ASCII string of length 22 characters ?VisibleId? || || [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]]
 +
|-
 +
| 0x500 || 0x1 || Wlan/Bt Flag || || [[SceSblSsMgr#sceSblSsGetNvsDataForDriver]], [[SceSblSsMgr#sceSblSsSetNvsDataForDriver]], [[SceWlanBt]] module_start
 +
|-
 +
| 0x501 || 0x1F || Unknown. Unused. || ||
 +
|-
 +
| 0x520 || 0x80 || Activation Area || first 0x20 bytes are SceNVSKitActivationData || [[SceSblSsMgr]], [[SceSblPostSsMgr]]
 +
|-
 +
| 0x5A0 || 0x100 || Qaf Token RSA signature || Not present on FW 0.990. Present on FW 3.60. Maybe added on FW 1.80. || second_loader
 +
|-
 +
| 0x6A0 || 0xC0 || Unknown. Unused. || ||
 +
|-
 +
| 0x760 || 0x400 || Reserved for Test and Tool. || Seems unused. ||
 
|}
 
|}
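Review bot: The rewritten NVS table leaves 0x488 to 0x49F without a row: the last single-byte entry is 0x487 and the next entry starts at 0x4A0, whereas the removed row "0x481 || 0x1F" covered that range. Add an "Unknown" row of size 0x18 at 0x488 so the table is contiguous, as it is from 0x4A0 through 0xB5F. The removed rows for 0 to 0x3FF also carried details (SNVS sectors XTS encrypted and handled by update_service_sm.self, Qa Flag Version as 0x10 bytes data + 0x10 bytes AES128CMAC) that are now only implied by the link to Ernie Secure#SNVS; check that the target page holds them before dropping them here. "Qaf Token Flag" reads as the inverse of its value (1 means not set), so the old name "Is Qaf Token not set" was clearer.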
   Line 516: Line 593:     
== Hardware Versions ==
 
== Hardware Versions ==
 +
 +
There are three hardware versions of Ernie:
 +
* NEC 78K0R/Kx3-L: present on early PS Vita prototypes (never seen)
 +
* NEC 78K0R/Kx3: present on Fat PS Vita and PS TV models, including some prototypes such as DEM-3000L
 +
* Renesas RL78/G13: present on Slim PS Vita models
 +
 +
=== NEC 78K0R/Kx3-L ===
 +
 +
Never seen yet but exists according to Ernie update packages.
 +
 +
=== NEC 78K0R/Kx3 ===
 +
 +
NEC D79F0109 (78K0R/KH3, 121 pin)
 +
 +
Device Name : D79F0109
 +
 +
Other Device Name : SK0RT02N200GV120 (on DEM-3000L and PCH-1000)
 +
 +
Label:
 +
<pre>
 +
Model <- always D79F0109
 +
Revision <- on DEM-3000H: ES1.0, blank on others
 +
Build <- XXYYZZWWW <- XX: year, YY: week, ZZ: 2 letters (unknown usage), WWW: serial number
 +
Manufacturing country <- always "MALAYSIA"
 +
</pre>
 +
 +
=== Renesas RL78/G13 ===
 +
 +
Renesas R5F1ZCRK (RL78/G13, 121 pin)
 +
 +
<pre>
 +
R5F1ZCRKABG#U0
 +
R5    Renesas MCU
 +
F      Flash
 +
1      RL78
 +
Z      Customer specific
 +
C      Product group
 +
R      121-pin
 +
K      384KB
 +
A      Consumer grade
 +
BG    VFBGA 0.4mm
 +
#U0  Tray*2
 +
</pre>
 +
 +
<pre>
 +
Device Name : R5F1ZCRK
 +
Device Code : 10 00 06
 +
Firmware Version : V3.03
 +
Code Flash 1 (Address : 0x00000000,  Size : 384 K,  Erase Size : 1 K)
 +
Data Flash 1 (Address : 0x000F1000,  Size : 8 K,  Erase Size : 1 K)
 +
</pre>
 +
 +
Label:
 +
<pre>
 +
(C) XXXX <- Year
 +
Revision <- A0xxx SCEI
 +
Build <- XXYYZZWWW <- XX: year, YY: week, ZZ: 2 letters (unknown usage), WWW: serial number
 +
Unknown data
 +
</pre>
 +
 +
== Block sizes ==
 +
 +
Ernie flash memory is erasable in blocks. Size of one block in bytes depends on the hardware version:
 +
* NEC 78K0R/Kx3-L: 0x800
 +
* NEC 78K0R/Kx3: 0x400
 +
* Renesas RL78/G13: 0x400
    
See also [https://playstationdev.wiki/psvitadevwiki/index.php?title=Ernie].
 
See also [https://playstationdev.wiki/psvitadevwiki/index.php?title=Ernie].
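Review bot: The Block sizes list gives 0x800 for NEC 78K0R/Kx3-L, a part the same section describes as "Never seen yet", without saying where the value comes from. If it is read from the Ernie update packages mentioned above, say so and name the field; the 0x400 value for RL78/G13 is supported by the "Erase Size : 1 K" lines in the device dump, and a similar source for the other two entries would make the list verifiable. In the part-number breakdown, "#U0  Tray*2" is unexplained and could use a word on what it denotes.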